OCR’s HIPAA Guidance On Ransomware Puts Pressure On Providers

With the healthcare industry increasingly coming under attack from ransomware gambits, the Department of Health and Human Services’ Office for Civil Rights has released new HIPAA guidance on the risks of being victimized by file-encrypting malware.

The OCR’s guidance underscores the serious nature of ransomware and providers’ responsibility in preventing and recovering from such attacks.

“This document describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role the Health Insurance Portability and Accountability Act has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack,” states OCR.

The guidance re-emphasizes activities already required by HIPAA to help organizations prevent, detect, contain, and respond to such threats, including:

* Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;

“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware,” writes OCR Director Jocelyn Samuels in a July 11 blog. “The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals.”

According to Samuels, healthcare organizations must take steps to safeguard their data from ransomware attacks. “HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents,” she said.

Avi Rubin, director of the Health and Medical Security Lab at Johns Hopkins University, contends that ransomware is another cybersecurity tactic adopted by hackers to gain access to healthcare systems and hold the information hostage through encryption.

“These are all standard security measures that organizations should be employing anyway,” says Rubin. “If there is any silver lining on the proliferation of ransomware, it is that it’s serving as a wake-up call to the industry and getting people to actually implement security measures that are critical to protecting information and systems in today’s world.”

While Chris Ensey, COO of Dunbar Security Solutions, praised the OCR guidance for finally clearing up several common misconceptions regarding ransomware for HIPAA-regulated sectors, he argues that some parts of the guidance are unfortunately less prescriptive.

“The one area that is going to be a challenge for most organizations is the post-incident analysis,” says Ensey. “Very few healthcare organizations have access to malware analysis tools and expertise required to do deep forensic review.”

“The new ransomware guidance associated with HIPAA emphasizes classic security hygiene. That is a good thing, generally speaking,” says McGraw. “Many of the activities called out in the guidance can take place during development, when systems are being designed and implemented. For example, performing a risk analysis early in development is always more efficient and economical than performing a risk analysis on an already fielded system. That said, the problem with HIPAA as it stands today is that it tends to place too much emphasis on patient data, leaving not enough room for other things like medical device security.”